Warn user in the MR Widget about erroneous schema reports

Proposal

When parsing a security report fails, we display an error message in the pipeline:

[Screenshot: pipeline-error]

However, in the MR widget, we still display a success message, which can be confusing:

[Screenshot: Screenshot_2023-02-02_at_10.05.42]

Instead, the backend could return an error message, and we could display it to the user. Something along the lines of:

Parsing SAST report failed. Check the pipeline for more information.

Also, as a side note, we already display this information in the Vulnerability Report:

[Screenshot: image]

Implementation plan

backend: Add errors and warnings keys to the existing REST response from EE::Projects::MergeRequestsController. These should contain the same information as contained in this example GQL query, which is a simplified version of what is used on the Pipeline -> Security page when there is a parse error on the report.

query {
  project(fullPath: "gitlab-org/govern/threat-insights-demos/verification-projects/verify-390200") {
    pipeline(iid: 2) {
      securityReportSummary {
        sast {
          scans {
            nodes {
              name
              status
              errors
              warnings
            }
          }
        }
      }
    }
  }
}

{
  "data": {
    "project": {
      "pipeline": {
        "securityReportSummary": {
          "sast": {
            "scans": {
              "nodes": [
                {
                  "name": "sast",
                  "status": "REPORT_ERROR",
                  "errors": [
                    "[Schema] property '/vulnerabilities/0/identifiers' is invalid: error_type=minItems"
                  ],
                  "warnings": []
                }
              ]
            }
          }
        }
      }
    }
  }
}

This will need to be added to the reports comparison. The errors can be obtained from Ci::Pipeline#security_scans(&:info).

Note: The warnings key is not being used for the purposes of this issue, and could be omitted at the author's discretion. It's suggested for completeness and parity with the GQL query.

Example of the REST response before and after the changes.

--- response_before.json	2023-07-25 15:21:53.273508300 +1200
+++ response_after.json	2023-07-25 15:23:04.281551124 +1200
@@ -3,5 +3,9 @@
     "base_report_out_of_date": true,
     "head_report_created_at": "2023-07-24T04:11:09.514Z",
     "added": [],
-    "fixed": []
+    "fixed": [],
+    "errors": [
+      "[Schema] property '/vulnerabilities/0/identifiers' is invalid: error_type=minItems"
+    ],
+    "warnings": []
 
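Review bot: the after response places errors and warnings next to "added": [] and "fixed": [] but has no equivalent of the status field (REPORT_ERROR) returned by the GQL query, so a client that reads only added and fixed still sees an empty, clean-looking comparison. Consider returning a status alongside errors, or documenting that a non-empty errors array means added and fixed must not be read as "no findings". The error strings are also not tied to a scan name as they are in the GQL nodes, which matters if the comparison ever covers more than one scan.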

frontend: Modify the merge request widget to check for elements in the errors object in the REST response and render as per the designs above if found.

Edited by Malcolm Locke
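
One way the widget-side check from the frontend step could be written, as an added example that is not GitLab's code. Field names and the error message text come from the issue; the function names, state names and the "unavailable" message are assumptions.

```javascript
// Added example, not GitLab's code. Field names follow the REST response in
// the issue; summarizeComparison, stringList and the state names are hypothetical.

// Keep only non-blank strings so a malformed field cannot crash the widget.
function stringList(value) {
  if (!Array.isArray(value)) return [];
  return value.filter((v) => typeof v === 'string' && v.trim() !== '');
}

function summarizeComparison(reportLabel, response) {
  const body = response !== null && typeof response === 'object' ? response : {};

  // Check errors first: on a parse failure added and fixed are both empty,
  // which is indistinguishable from a clean comparison.
  const errors = stringList(body.errors);
  if (errors.length > 0) {
    return {
      state: 'error',
      message: `Parsing ${reportLabel} report failed. Check the pipeline for more information.`,
      details: errors, // scanner-derived text: render as plain text, not HTML
    };
  }

  // Without both lists there is no evidence of a clean scan (message is assumed).
  if (!Array.isArray(body.added) || !Array.isArray(body.fixed)) {
    return { state: 'unknown', message: `${reportLabel} results are unavailable.`, details: [] };
  }

  const state = body.added.length > 0 ? 'findings' : 'success';
  return { state, added: body.added.length, fixed: body.fixed.length, details: [] };
}

// Constructed samples mirroring the before/after responses in the issue.
const responseBefore = {
  base_report_out_of_date: true,
  head_report_created_at: '2023-07-24T04:11:09.514Z',
  added: [],
  fixed: [],
};
const responseAfter = {
  ...responseBefore,
  errors: ["[Schema] property '/vulnerabilities/0/identifiers' is invalid: error_type=minItems"],
  warnings: [],
};

console.log(summarizeComparison('SAST', responseBefore).state); // success
console.log(summarizeComparison('SAST', responseAfter).state); // error
```

A response from a backend that predates the errors key still renders as success, so the check only closes the gap once the backend change ships.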